By: Saul Jimenez
Key Takeaways:
- A SOC 1 report, or Service Organization Control 1 report, provides assurance that a service organization is practicing adequate internal controls related to the administration and management of retirement plans.
- It can be either a Type 1 or Type 2 report; Type 2 reports provide an opinion on the operating effectiveness of the controls.
- Obtaining a SOC 1 report can help retirement plan sponsors prepare for a first-time plan audit, as well as contain the cost and amount of testing needed.
- A SOC 1 report is prepared by an independent auditor and evaluated based on the guidelines of SSAE No. 18.
- It examines data security, system availability, change management, and transaction processing of the service organization’s internal controls.
SOC 1 Reports Help Sponsors Prepare for First-time Plan Audits
Assurance of strong internal controls within service organizations – or third-party administrators (TPAs) – is among the myriad fiduciary duties faced by retirement plan sponsors, and one that must be accounted for in the sponsor’s annual plan audit. But how can a plan sponsor obtain information about the internal controls practiced by its service organization?
Service organizations give assurance relating to their internal controls by providing a SOC 1 report to plan sponsors.
What is a SOC 1 Report?
A SOC 1 report, also known as a Service Organization Control 1 report, is a document that provides detailed information about the internal controls and processes utilized by a service organization. In the context of retirement plan sponsors, SOC 1 reports are relevant because they assess the controls and procedures related to the administration and management of retirement plans.
Service organization control (SOC) reports can be either Type 1 or Type 2 reports. A Type 1 report is management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls. A Type 2 report goes a step further, with the independent auditor also providing an opinion on the operating effectiveness of those controls.
This is important to plan sponsors, who are responsible for overseeing and managing retirement plans, such as 401(k) plans, on behalf of their employees. These plans involve complex financial transactions and require strict adherence to regulatory guidelines and industry best practices. To ensure the integrity and security of these plans, retirement plan sponsors often engage service organizations, such as third-party administrators, to assist with plan administration.
A SOC 1 report provides independent assurance that a service organization practices adequate controls to safeguard the retirement plan’s assets, protect participant data and ensure accurate and reliable plan administration.
Moreover, a SOC 1 report can help contain the amount of testing needed, as well as the cost, when a retirement plan sponsor opts to obtain an ERISA 103(a)(3)(C) audit, formerly known as a “limited scope audit.” For this type of audit, plan sponsors can exclude certain investment information from testing because it is held and certified by a qualified institution. The auditor must, however, issue an opinion on whether the information in the financial statements and supplemental schedules related to certified assets is derived from or agrees with the information prepared and certified by the qualified institution.
The SOC 1 report is prepared by an independent auditing firm. The auditor evaluates the service organization’s controls based on the Statement on Standards for Attestation Engagements (SSAE) No. 18, which provides guidelines for conducting these assessments. The audit examines the design and operating effectiveness of the controls in place, focusing on areas such as data security, system availability, change management and transaction processing.
User Control Considerations
For plan sponsors facing a first-time audit of their plan – generally required once the plan reaches 100 or more participants – the internal controls evaluated in the SOC 1 report can be instructive, since the plan sponsor – as well as the TPA – must adhere to the same procedures and controls.
If you expect the participant count in your organization’s retirement plan to exceed 100 in the foreseeable future, obtaining a SOC 1 report from your TPA in advance can help you prepare for heightened internal controls at your own company. This can further help you, as a plan sponsor, prepare for the extensive documentation requirements a first-time retirement plan audit will entail.
We’re Here to Help
If your organization is getting close to its first retirement plan audit and you would like to see a sample SOC 1 Type 2 report or discuss how you can put the necessary controls and documentation in place, contact your KRD advisor.